Now dnssec validation will be done if the dns server being queried supports it.

+

Now dnssec validation will be done if the dns server being queried supports it. Note that including dnssec checking siginificantly increases dns lookup times for initial lookups. Once an address is cached then the lookup is virtually instantaneous.

Installation

Pre-configuration

For querying a host that is not cached as an address the resolver needs to start at the top of the server tree and query the root servers to know where to go for the top level domain for the address being queried. Therefore it is necessary to put a "root hints" file into the unbound config directory. The simplest way to do this is to run the command:

It is a good idea to run this every six months or so in order to make sure the list of root servers is up to date. This can be done manually or by setting up a cron job for the task.

If you are going to use DNSSEC then you will need the root server trust key anchor in the file root.key which you can place in a directory owned by user unbound.

mkdir /etc/unbound/keys
chown unbound:unbound /etc/unbound/keys

Then create the file root.key and place it in this directory [/etc/unbound/keys/] and make sure the file root.key is owned by user unbound as below.

The line below is the 2010 trust anchor for the root zone, and this line is the only line in the file root.key. You can independently verify the root zone anchor by going to the IANA.org Index of /root-anchors.

Then you can include the logging parameter when you set up the main unbound.conf file as below.

Basic configuration

Unbound configuration

Unbound is easy to configure. In the directory /etc/unbound/ there is a sample config file [unbound.conf.example] which can be copied to /etc/unbound/unbound.conf and with the adjustments to the file for your own needs it is enough to run on both IPv4 and IPv6 without access restrictions. Once copied to unbound.conf and then uncomment lines or add in lines as needed.

For the case where you want the unbound server to listen to requests from the machine that it is running on then make sure that the line defining which address it is going to listen on is included:

interface: 127.0.0.1

It is also important to include a line to point to the root.hints file that was prepared before editing the unbound.conf file:

root-hints: "/etc/unbound/root.hints"

If you have a local network which you wish to have dns queries for and there is a local dns server that you would like to forward queries to then you should include the line: private-address for say the 10. or 192.168. networks as:

private-address: 10.0.0.0/24

or

private-address: 192.168.0.0/16

To include a local dns server for both forward and reverse local addresses a set of lines similar to these below is necessary with a forward and reverse lookup (choose the ip address of the server providing dns for the local network accordingly by changing 10.0.0.1 in the lines below):

local-zone: "10.in-addr.arpa." transparent

This line above is important to get the reverse lookup to work correctly.

Note that there is a difference between forward zones and stub zones - stub zones will only work when connected to an authoritative dns server directly. This would work for lookups from a bind dns server if it is providing authoritative dns - but if you are referring queries to an unbound server in which internal lookups are forwarded on to another dns server, then defining the referral as a stub zone in the machine here won't work. In that case it is necessary to define a forward zone as above, since forward zones can have daisy chain lookups onward to other dns servers. i.e. forward zones can refer queries to recursive dns servers. This distinction is important as you don't get any error messages indicating what the problem is if you use a stub zone inappropriately.

You can set up the localhost forward and reverse lookups with the following lines:

Then to use specific servers for default forward zones that are outside of the local machine and outside of the local network (i.e. all other queries will be forwarded to them, and then cached) add this to the configuration file (and in this example the first two addresses are the fast google dns servers):

Set /etc/resolv.conf to use the local DNS server

Also if you want to be able to use the hostname of local machine names without the fully qualified domain names, then add a line with the local domain such as:

domain localdomain.com
nameserver 127.0.0.1

That way you can refer to local hosts such as mainmachine1.localdomain.com as simply mainmachine1 when using the ssh command, but the drill command below still requires the fully qualified domain names in order to perform lookups.

Testing the server before making it default can be done using the drill command from the ldns package with examples from internal and external forward and reverse addresses:

where w.x.y.z can be a local or external ip address and the -x option requests a reverse lookup. Once all is working, and you have /etc/resolv.conf set to use 127.0.0.1 as the nameserver then you no longer need the @127.0.0.1 in the drill command, and you can test again that it uses the default dns server - check that the server used as listed at the bottom of the output from each of these commands shows it is 127.0.0.1 being queried.

Configuring Unbound to Validate DNSSEC

Make sure that the root anchor key file exists as described earlier in the page:

Edit unbound.conf, adding the following line to the server: block:

auto-trust-anchor-file: "/etc/unbound/keys/root.key"

Also make sure that if a general forward to the google servers had been in place, then comment them out otherwise dns queries will fail.

Restart unbound:

systemctl restart unbound

Now dnssec validation will be done if the dns server being queried supports it. Note that including dnssec checking siginificantly increases dns lookup times for initial lookups. Once an address is cached then the lookup is virtually instantaneous.

Adding an authoritative dns server

For users who wish to run both a validating, recursive, caching dns server as well as an authoritative dns server on a single machine then it may be useful to refer to the wiki page nsd which gives an example of a configuration for such a system. Having one server for authoritative dns queries and a separate dns server for the validating, recursive, caching dns functions gives increased security over a single dns server providing all of these functions. Many users have used bind as a single dns server, and some help on migration from bind to the combination of running nsd and bind is provided in the nsd wiki page.

WAN facing dns

It is also possible to change the configuration files and interfaces on which the server is listening so that dns queries from machines outside of the local network can access specific machines within the LAN. This is useful for web and mail servers which are accessible from anywhere, and the same techniques can be employed as has been achieved using bind for many years, in combination with suitable port forwarding on firewall machines to forward incoming requests to the right machine.